PA firewall traffic to AWS API gateway

L2 Linker

Thanks,

It seems the luck has not turned yet. This is my NAT statement.


I used this doc to create a private API and endpoint:

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-private-cross-account-vpce/

If I try https://PAWANPublicIP/test/ nothing loads.

I tried creating a new API with this doc (change: I created a private API):

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html

If I try https://PAWANPublicIP/test/helloworld?name=John&city=Seattle nothing loads.

No idea why this is happening, still trying my luck.

L4 Transporter

Watch your security groups on the endpoint.  Also, check the firewall to ensure the Virtual Router has routes to the endpoint subnets. Have you tried deploying a bastion into the Trust side subnet to test the endpoint directly?  We need to determine if the issue is the firewall routing or the endpoint itself.

L2 Linker

Thank you @jmeurer 

Hard work paid off, now I am able to load the Lambda function result, although it's showing {"message":"Forbidden"}.

So happy, at least traffic is reaching API GW.

If you have any idea why the Forbidden error occurs, please share.

L4 Transporter

Good news. The Forbidden message could be a result of an IAM policy on the gateway. You may need to assign a role to the firewall so that it has permission to access the gateway. It could also just be a formatting error in the API call.

If you deployed a bastion host into the firewall subnet, does it have the same response?

L2 Linker

Screenshot attached.

L4 Transporter

Is that screenshot through the firewall, or direct from a test client?

L2 Linker

It's through the firewall.

L4 Transporter

Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.  

L2 Linker

Hi @jmeurer 

The bastion host is not able to resolve the API GW private URL. I gave 172.31.0.2 as the DNS server for the bastion host, still not resolving.

FW trust side IP is 172.16.99.x, the VPC endpoint is also 172.16.99.x, and the bastion host 172.16.99.


I read in various other forums: "each endpoint also requires a valid API key supplied on a x-api-key HTTP header. If not present or valid, the APIs will return a 403 (Forbidden)"

https://codeburst.io/aws-api-gateway-by-example-3733d7792635

L4 Transporter

The DNS server is generally the second IP of the VPC CIDR, i.e. if your VPC is 172.16.0.0/16, DNS is 172.16.0.2. Looks like your VPC is 172.16 but you set your DNS server to 172.31.
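A small check for the resolver mismatch described in the reply above, added here as an example and not code from the thread. It assumes the VPC CIDR is 172.16.0.0/16 (the reply's own example; the thread only shows the 172.16 prefix) and the 172.31.0.2 resolver the bastion host was given.

```python
"""Verify that a host's configured DNS server is the VPC-provided resolver.

AWS's VPC-provided resolver lives at the VPC CIDR's base address plus two
(172.16.0.2 for 172.16.0.0/16). A host pointed at any other address,
especially one outside its own VPC, cannot resolve private API Gateway
hostnames through the VPC's internal DNS path.
"""
import ipaddress


def vpc_resolver_address(vpc_cidr: str) -> str:
    """Return the VPC-provided resolver address for the given VPC CIDR."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def check_dns_config(vpc_cidr: str, configured_dns: str):
    """Return (ok, reason) for a host's configured DNS server.

    ok is True only when the configured server is exactly the VPC resolver.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    dns = ipaddress.ip_address(configured_dns)
    expected = net.network_address + 2
    if dns == expected:
        return True, f"{dns} is the VPC-provided resolver for {net}"
    if dns not in net:
        return False, f"{dns} is outside {net}; expected {expected}"
    return False, f"{dns} is inside {net} but is not the VPC resolver {expected}"


if __name__ == "__main__":
    # Constructed scenario from the thread: VPC assumed to be 172.16.0.0/16,
    # bastion host handed 172.31.0.2 as its DNS server.
    for dns in ("172.31.0.2", "172.16.0.2"):
        ok, reason = check_dns_config("172.16.0.0/16", dns)
        print("OK  " if ok else "FAIL", reason)
```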
